Tuesday, May 24, 2016

The Case for a Divide & Conquer Approach to Penetration Testing

Usually for budget or pricing reasons, some orgs engage a firm for a single annual pen test of significant scope (e.g., all ingress / egress, RAS, AD, VoIP, IPS, SIGs, ERP, EHR / EMR, SaaS, WLAN).

However, from a project management standpoint this approach increases scope, schedule, resource-availability, and budget risk: one large engagement has to fit every target, every tester, and the entire year's spend into a single window.

Stronger orgs with enough resources tend to move away from the once-and-done approach because they need to assess many vectors, they need timely and regular remediation actions (findings from a single annual test sit unaddressed for most of the year), and they have security compliance requirements (e.g., PCI) that call for testing on a recurring basis and after significant changes.
